Active Directory UserAccountControl Details
Reference: https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
Take a domain running multiple versions of Windows domain controllers across multiple AD sites and replicating just fine, add Server 2019 as a DC to the mix, and what do you get? Say it with me now “DCs mostly replicating just fine but KCC re-evaluated connections and one DC is now spamming event 1645 and […]
So you’ve combed through 7-year-old TechNet forum posts, cursed the limitations of the Event Log Readers group when trying to use Get-WinEvent, and then tried to decipher SDDL to no avail. A treatment for all those woes:
```powershell
function Add-EventLogAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # samAccountName of the user or group that should get access to the log
        [ValidateScript({ Get-ADObject -LDAPFilter "(samaccountname=$_)" })]
        [string]$Identity,

        [ValidateSet('Application', 'Security', 'System')]
        [string]$LogName,

        [ValidateSet('RO', 'RW')]
        [string]$Permission
    )
    try {
        # Get the current channel access descriptor in SDDL form
        $origValue = ((wevtutil.exe gl $LogName | Where-Object { $_ -match '^channelAccess' }) -split ': ')[-1].Trim()

        # Access mask for the new ACE: 0x1 = read, 0x3 = read + write
        switch ($Permission) {
            'RO' { $PermissionHex = '0x1' }
            'RW' { $PermissionHex = '0x3' }
        }

        $ADsid = (Get-ADObject -LDAPFilter "(samaccountname=$Identity)" -Properties ObjectSid).ObjectSid.Value
        if ($origValue -match $ADsid) {
            Write-Host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -ForegroundColor Yellow
            return
        }

        # Append an Allow ACE for the SID to the existing SDDL
        $newValue = "$origValue(A;;$PermissionHex;;;$ADsid)"
        Write-Host "CustomSD original value: $origValue"
        Write-Host "CustomSD new value: $newValue"

        $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
        if ($PSCmdlet.ShouldProcess("$LogName log with value $newValue", "Set-ItemProperty")) {
            # NOTE: removing CustomSD lets channelAccess fall back to the default; verified with wevtutil.exe gl $LogName
            Set-ItemProperty -Path $Path -Name 'CustomSD' -Value $newValue -Type String -ErrorAction Stop -Force

            # The identity also needs read access to the log's registry key
            $regACL = Get-Acl $Path
            if ($regACL.Access | Where-Object { $_.IdentityReference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow' }) {
                Write-Host "`n$Identity already has ability to read $Path" -ForegroundColor Yellow
            }
            else {
                Write-Host "`nAdd $Identity permission to $Path" -ForegroundColor Green
                $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
                $regACL.AddAccessRule($rule)
                Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop
            }
        }
    }
    catch {
        throw $_
    }
}

Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO
```
The basic gist here is that the CustomSD registry value will contain your new permissions and […]
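One caveat with building the CustomSD value by string concatenation, as the function above does: `-match` treats the SID as a regex and a SID that is a prefix of another (RID 1105 vs 11050) will trigger the "already set" branch, and an ACE that is present but too narrow is never widened. The following is an added example, not code from the original post, that merges the ACE with the .NET SDDL parser instead. The SDDL string is a constructed sample modeled on a Security log channelAccess descriptor, and the group SID is made up; the returned SDDL is what you would write to CustomSD.

```powershell
# Added example (not the post's code): merge an event-log ACE into a channelAccess SDDL
# using RawSecurityDescriptor so an existing ACE for the same SID is found exactly and
# widened rather than duplicated.
function Merge-ChannelAccessAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][int]$AccessMask   # event log masks: 0x1 read, 0x2 write, 0x4 clear
    )
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # Exact SID comparison, not a regex/substring match
    $existing = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.SecurityIdentifier -eq $sidObj -and
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
    } | Select-Object -First 1

    if ($existing) {
        if (($existing.AccessMask -band $AccessMask) -eq $AccessMask) {
            Write-Verbose "$Sid already holds mask 0x$($existing.AccessMask.ToString('X')); nothing to do"
            return $sd.GetSddlForm('All')
        }
        # Widen the existing ACE instead of appending a second one for the same SID
        $existing.AccessMask = $existing.AccessMask -bor $AccessMask
    }
    else {
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $AccessMask, $sidObj, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    }
    return $sd.GetSddlForm('All')
}

# Constructed sample input: SDDL modeled on a Security log channelAccess value, made-up group SID
$sampleSddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
$groupSid   = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

$step1 = Merge-ChannelAccessAce -Sddl $sampleSddl -Sid $groupSid -AccessMask 0x1   # adds (A;;0x1;;;S-1-5-21-...-1105)
$step2 = Merge-ChannelAccessAce -Sddl $step1      -Sid $groupSid -AccessMask 0x3   # widens that ACE to 0x3, no duplicate
$step1
$step2
```

Run it on a workstation with no domain access; nothing touches the registry. To apply the result, pass the returned string to `Set-ItemProperty -Name CustomSD` as in the function above, and confirm the effective descriptor afterwards with `wevtutil gl <log>`.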
Ya know what grinds my gears? Getting a CSV of employees without a unique key column – no samaccountname, UPN, email, DistinguishedName, SID – nothing. Sometimes you’ll even get supplied with a column of <firstname><space><lastname> using 3rd party information that doesn’t mesh with AD info either. Nice. The function below can be used with an […]
The vast majority of Active Directory PowerShell cmdlets don’t need any enhancement, but there is one in particular that I felt could use an alteration: Get-ADGroupMember. This command returns [Microsoft.ActiveDirectory.Management.ADObject] objects, which can be passed to a switch statement on objectClass to fetch each object’s home AD info. However, when […]
Yet another solution for grabbing Parent OU paths
```powershell
# CanonicalName is not returned by default, so request it explicitly
$userArr = Get-ADUser -Filter * -Properties CanonicalName
foreach ($user in $userArr) {
    # Parent container in canonical form: everything before the last '/'
    if ($matches) { $matches.Clear() }
    $null = $user.CanonicalName -match '.*(?=\/)'
    $user | Add-Member -MemberType NoteProperty -Name 'custom_ParentCN' -Value $matches[0] -Force

    # Parent container as a DN: everything after the first ','
    # (caveat: an escaped comma in the RDN, e.g. 'CN=Smith\, John', splits the RDN too early)
    if ($matches) { $matches.Clear() }
    $null = $user.DistinguishedName -match '(?<=,).*'
    $user | Add-Member -MemberType NoteProperty -Name 'custom_ParentDN' -Value $matches[0] -Force
}
$userArr | Sort-Object Surname | Select-Object Surname, GivenName, custom* | Format-Table -AutoSize
```
Might as well have a recursive function in the first post, eh? I stumbled across this script to discover circular Active Directory group memberships but was inspired to get a more visual representation after reading the FAQ section.
Group membership details used for demonstration:
Script output comparison:
The script will pull in all AD groups […]
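The core of any circular-membership check is a depth-first walk over the group nesting graph that reports a group the moment it reappears on the current path. The following is an added example, not the linked script or the post's own code: it runs on a constructed group-to-members map so it works offline. On a live domain you would build the same hashtable from `Get-ADGroup -Filter * -Properties member`, keyed by group DN.

```powershell
# Added example (not the post's script): find circular nested group membership with a
# depth-first search over a group -> members map. Sample data below is constructed.
function Find-CircularGroupMembership {
    param(
        # key: group DN, value: array of member DNs (users and groups)
        [Parameter(Mandatory)][hashtable]$Members
    )
    $cycles  = New-Object System.Collections.Generic.List[string]
    $visited = @{}

    function Visit([string]$group, [System.Collections.Generic.List[string]]$path) {
        if ($path.Contains($group)) {
            # The group is already on the current path: report the loop from its first occurrence
            $start = $path.IndexOf($group)
            $cycles.Add((($path[$start..($path.Count - 1)] + $group) -join ' -> '))
            return
        }
        if ($visited.ContainsKey($group)) { return }   # subtree fully explored earlier
        $path.Add($group)
        foreach ($m in $Members[$group]) {
            # Only members that are themselves groups (keys in the map) can continue the nesting
            if ($Members.ContainsKey($m)) { Visit $m $path }
        }
        $path.RemoveAt($path.Count - 1)
        $visited[$group] = $true
    }

    foreach ($g in $Members.Keys) {
        Visit $g ([System.Collections.Generic.List[string]]::new())
    }
    return $cycles | Select-Object -Unique
}

# Constructed sample: Finance -> Finance-Admins -> IT -> Finance is a loop; HR is clean
$sample = @{
    'CN=Finance,OU=Groups,DC=contoso,DC=com'        = @('CN=Finance-Admins,OU=Groups,DC=contoso,DC=com', 'CN=jsmith,OU=Users,DC=contoso,DC=com')
    'CN=Finance-Admins,OU=Groups,DC=contoso,DC=com' = @('CN=IT,OU=Groups,DC=contoso,DC=com')
    'CN=IT,OU=Groups,DC=contoso,DC=com'             = @('CN=Finance,OU=Groups,DC=contoso,DC=com')
    'CN=HR,OU=Groups,DC=contoso,DC=com'             = @('CN=asmith,OU=Users,DC=contoso,DC=com')
}
Find-CircularGroupMembership -Members $sample
```

Each cycle is printed once as the chain of group DNs that closes the loop. Because explored groups are marked visited, a loop reachable from several unrelated parent groups is reported from the first entry point only, which keeps the output readable on large forests.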